UnixTime

Research Note

ISO 27001 A.6.7 - Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...

On this page

Requirement

Requirement lens

Remote working is not just VPN access. The control covers information accessed, processed, or stored outside the organization’s premises.

“Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.”

Plain-language meaning

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.

Remote working should be authorized, risk-assessed, controlled, and monitored. The organization should know who is allowed to work remotely, from where, doing what, with which data, using which equipment, and under which controls.

Why this matters

Remote work changes the control environment. Homes do not usually have office-grade physical security. Public locations expose screens, calls, papers, and devices to strangers. Family members, visitors, shared networks, unmanaged devices, weak Wi-Fi, and lost equipment can all expose information.

Remote access also increases dependence on secure connections, endpoint protection, access control, asset inventory, and user behavior.

Implementation guidance

Implementer focus

Treat remote work as an authorized work pattern with defined conditions, not an informal convenience.

1. Define remote working policy and scope

The policy should define:

  • who may work remotely;
  • which roles and activities are allowed;
  • which locations are acceptable;
  • which information types may be accessed remotely;
  • which devices and networks may be used;
  • what physical controls are expected;
  • what logical access controls apply;
  • what non-work use is allowed or prohibited;
  • who is responsible for each control.

Remote working should only be authorized when sufficient controls are in place.

2. Authorize users, activities, locations, and data

Maintain a record of remote working authorization.

Authorization item Why it matters
User or role Shows who is allowed to work remotely
Activity type Prevents high-risk work being performed in unsuitable locations
Location type Distinguishes home, public, customer site, and temporary locations
Data allowed Limits remote access to what the task requires
Required controls Defines minimum security expectations
Verification method Shows controls were checked before authorization

The auditor will expect the organization to prove this, not just say “remote work is allowed.”

3. Secure remote equipment and connections

Controls may include:

  • organization-managed devices;
  • encryption of storage;
  • screen lock and timeout;
  • endpoint protection and patching;
  • VPN or approved secure access method;
  • multi-factor authentication;
  • restriction of local data storage;
  • secure configuration;
  • logging and monitoring;
  • remote wipe capability where appropriate;
  • asset inventory entries for remote equipment.

Remote equipment should be included in the asset register where it is used to access, process, or store organization information.

4. Control physical and environmental risks

Remote workers should protect information from family members, visitors, the public, and unauthorized viewing.

Practical controls include:

  • private workspace where possible;
  • clear desk and secure storage;
  • privacy screens where appropriate;
  • secure printing restrictions;
  • no unattended papers or devices;
  • avoiding confidential calls in public places;
  • preventing shoulder-surfing;
  • secure disposal or return of printed material.

Public locations need stricter limits. Some work should not be performed in coffee shops, airports, or shared public areas.

5. Limit information available remotely

Remote access should be limited to information needed for authorized tasks. Avoid broad access because it is convenient.

This links to A.5.15 Access Control, A.5.18 Access Rights, and A.5.12 Classification of Information.

6. Define non-work use rules

Remote working equipment should have clear rules for personal use, games, personal browsing, personal accounts, family use, and installation of unapproved software.

The issue is not moral preference. Non-work use can introduce malware, account mixing, data leakage, and evidence ambiguity.

Audit guidance

Auditor focus

Test whether remote working is authorized and controlled in practice. A policy alone is weak evidence.

Auditors should verify that authorized remote workers, activities, locations, data access, equipment, and controls are recorded and reviewed.

Audit testing should include:

  • remote working policy and procedures;
  • remote working authorization register;
  • risk assessment for remote working;
  • equipment asset register entries;
  • secure connection configuration;
  • access control restrictions;
  • endpoint security and encryption evidence;
  • user awareness and training records;
  • rules for non-work use;
  • verification evidence that controls are in place;
  • samples of users working from home, public locations, customer sites, and other remote environments where applicable.

The auditor should challenge vague statements such as “staff may work remotely if they use VPN” because remote working also creates physical, behavioral, device, data, and location risks.

Evidence examples

Evidence quality

Strong evidence shows authorization, risk assessment, technical controls, physical expectations, user awareness, and operating verification.

Evidence What it proves
Remote working policy Rules and conditions are documented
Remote working authorization register Users, locations, activities, and data access are approved
Remote working risk assessment Risks and controls were considered
Asset register entries Remote equipment is known and owned
VPN/secure access configuration Connections are protected
MFA and access control records Remote access is restricted
Endpoint encryption and patch evidence Equipment is protected
Awareness records Users know remote working expectations
Non-work use rules Personal use risks are controlled
Review records Remote work permissions and controls are maintained

Strong evidence

  • Authorized remote workers, activities, locations, and data access are recorded.
  • Remote access is limited to required information and tasks.
  • Equipment is managed, encrypted, patched, and included in the asset register.
  • Secure connections and MFA are enforced.
  • Physical controls for home and public work are defined and communicated.
  • Non-work use rules are clear.
  • Controls are verified before or during remote working authorization.
  • Remote working risks are reviewed when roles, locations, data, or threats change.

Weak evidence

  • VPN access exists but no remote working authorization process.
  • No record of who is allowed to work remotely or with what data.
  • Personal devices used without documented controls.
  • Remote equipment missing from the asset register.
  • Public-location work has no restrictions.
  • No physical security expectations for home work.
  • Broad access granted because remote access is technically possible.
  • No rule on family/shared use or personal software.

Common failures

Implementation watchouts

Remote working fails when the organization controls the network connection but ignores the remote environment.

Failure Why it matters
VPN-only thinking Physical, endpoint, data, and behavior risks remain
No authorization register The organization cannot prove who may work remotely
Personal device ambiguity Ownership, control, monitoring, and evidence become unclear
Remote equipment not inventoried Lost or unmanaged devices are missed
No data limits Sensitive information becomes available in unsuitable locations
No public-location rules Screens, paper, and calls can be exposed
No control verification The organization assumes controls exist

Exam traps

Exam focus

Remote working is about protecting information outside organization premises. Do not reduce it to VPN.

Trap Correct interpretation
VPN satisfies remote working VPN helps, but physical, device, access, data, and user controls are also needed
Home is automatically secure Home spaces may be accessible to family members or visitors
Coffee-shop work is equivalent to home work Public locations have higher shoulder-surfing, paper, call, and device risks
All remotely accessible information is acceptable Remote access should be limited to what is needed
Remote devices are outside asset inventory Remote equipment used for organization information should be tracked
Personal use is harmless Non-work use can introduce malware, leakage, and control ambiguity

KB-ready summary

  • A.6.7 requires security measures for remote work to protect information outside organization premises.
  • Remote work should be authorized by user, activity, location, data, equipment, and required controls.
  • Controls should cover physical security, secure connections, endpoints, access, awareness, and non-work use.
  • Remote equipment should be included in the asset register where relevant.
  • Remote access should be limited to information required for the task.
  • Audit evidence should show authorization, risk assessment, control verification, and ongoing review.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • People controls
  • Remote working
  • Audit

Note Metadata

Aliases: A.6.7, Remote Working

Source: 03 Annex A People Controls/A.6.7 Remote Working.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

10

links

01
02

Implementation artifacts

Templates and working records that help operate the control.

03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.